(1) Field of the Invention
The present invention relates to a system for recording digitized data of content that is a work such as a movie to a large-capacity recording medium such as an optical disc, and playing back the content.
(2) Description of the Related Art
In order to protect the copyright of content that is a work such as a movie or music, playback apparatuses are given a plurality of device keys, and the content is recorded in an encrypted state on a recording medium, together with key data that is used for decrypting the content and that can be obtained only by a playback apparatus that is permitted to play back the content. One way of managing keys for generating this kind of key data is to use a tree structure.
Document 1 discloses a technique relating to a key management system that uses a tree structure, and in which the amount of key information is relatively small and individual keys are able to be revoked. Furthermore, Document 2 discloses a technique that is based on the technique in Document 1 and that relates to a digital content protection key management method that suppresses increases in the number of device keys held in advance by the playback apparatuses while reducing the amount of the key information recorded on the recording medium.
The following outlines the key management method disclosed in Document 1.
A key management organization manages device keys such that the leaves in a tree structure are in one-to-one correspondence with playback apparatuses. Each playback apparatus holds device keys corresponded with nodes positioned on the route from the root through to the leaf corresponding to the playback device. The key management organization encrypts one content and a media key MK used to decrypt the content, using a device key K which is the device key among all of the managed device keys that is shared by the greatest number of playback apparatuses. Then, the key management organization writes the encrypted media key E (K, MK) to a recording medium. Note that E(X, Y) denotes a ciphertext obtained by encrypting data Y with key data X.
Here, if a playback apparatus is internally analyzed and all the device keys held by the playback apparatus are exposed, the key management organization revokes the exposed keys, and selects, from among the remaining device keys, device keys that are shared by the greatest numbers of playback apparatus, and uses the selected device keys to encrypt the media key MK.
As shown in FIG. 11, in the case of a playback apparatus 0 being revoked, device keys Kf, Kb, and K1 are used to encrypt the media key MK, thereby generating ciphertexts E(Kf, MK), E(Kb, MK), and E(K1, MK), which are written to the recording medium.
Accordingly, the revoked playback device 0 is unable to obtain the media key MK since it does not have any of the device keys Kf, Kb, and K1, and only playback devices having any of the device keys Kf, Kb and K1 are able to obtain the media key MK.
Here, if the uniqueness of the device keys is lost, for example if respective values of the device key Kf and the device key k1 are the identical, the values of the ciphertexts E(Kf, MK) and E(K1, MK) recorded on the recording medium will be the same. This means that it will be publicly-known that the device keys Kf and K1 have the identical values.
If the playback apparatus 7 is later revoked, as shown in FIG. 12, the key management organization encrypts the media key MK with use of the device keys Kb, Kc, K1 and K6, and four ciphertexts E(Kb, MK), E(Kc, MK), E(K1, MK), and E(K6, MK) are recorded on the recording medium.
Here, since the device key Kf held by the playback apparatus 7 has already been exposed and because of the fact that it is publicly known that Kf and K1 are identical, there is a danger that an illegal party will use the exposed Kf to decrypt the ciphertext E(K1, MK) and thereby illegally obtain the media key MK. If in order to prevent such illegal acts the ciphertext E(K1, MK) is not recorded to the recording medium, a problem arises that the valid playback apparatus 1 becomes unable to obtain the media key MK and is revoked unjustly.
One example of a way of preventing the media key from being obtained illegally and a playback apparatus that should not be revoked from being revoked unjustly is to ensure (guarantee) the uniqueness of each device key. Specifically, since device keys are usually generated using a random number generator that generates a random number series, one method is to check, each time a device key is generated, whether or not the device key matches any previously-generated device keys. Here, the random number series is destroyed if a matching device key exists, and used if a matching device key does not exist.
However, in a large-scale system in which the number of playback apparatuses is in the billions, it is enormously costly in terms of time to check whether or not each generated device key matches previously-generated device keys. Even when the key management method in Document 2 is used, the same problem of the time taken to check the device keys arises.
Document 1
Nakano, Ohmori and Tatebayashi “Digital Content Hogo-you Kagi Kanri Houshiki (Key Management System for Digital Content Protection)”, The 2001 Symposium on Cryptography and Information Security, SCIS2001, 5A-5, January 2001.
Document 2
Nakano, Ohmori and Tatebayashi “Digital Content Hogo-you Kanri Houshiki- Ki-kouzou Pattern Bunkatsu Houshiki (Key Management System for Digital Content Protection- Tree Pattern Division Method)”, The 2002 Symposium on Cryptography and Information Security, SCIS2002, 10C-1, January 2002.